Antivirus software is one of those things we can often take for granted. Many people have a “set it and forget it” approach to their antivirus settings. Or they may be under the misconception that antivirus software simply scans your files for viruses.
However, antivirus software is far more complex than that. Understanding exactly how antivirus software works, how it detects and neutralizes threats, can make you far more proficient in using antivirus software. In this article, we will discuss exactly how antivirus software protects you from threats.
Basic On-Access Scanning
The main protection of most antivirus software is on-access scanning – this can go under many names, depending on the company. It can be called “real-time protection”, “background scanning”, “resident scanning”, or something else. This website does a great job of reviewing many of the available antivirus softwares, and how they stack up against each other in threat detection.
What on-access scanning mainly does is check files as they’re opened for threats. Whenever you launch an application, or open a Word document, or any kind of file that launches an activity associated with it, your antivirus software scans the file and compares it to the known virus database.
Heuristic Analysis
Your antivirus software will also do heuristic scanning – this scans the file for known virus-like behaviour. This is because new viruses are being released into the wild all the time, so by detecting virus-like behaviour, your antivirus software will also attempt to catch new, unknown viruses.
The kind of typical virus behaviour that heuristic scanning checks for is things like launching other .exe’s, particularly critical system applications. Viruses often try to launch system applications, or run command line scripts, to infect system files – such as by overwriting system files with virus-infected ones. Thus, if an application has this kind of behavior written into the .exe file, the heuristic scanning will catch it – whether or not the application contains a “known” virus.
What are false positives?
Heuristic scanning is not always perfect – it can be a bit too aggressive. This is where “false positives” come from. You might download an application for the exact purpose of modifying system files intentionally. An application that allows you to customize / theme various parts of your Windows interface, for example.
Even if the application is completely safe, the very fact it modifies system files triggers your antivirus, and causes it to automatically quarantine / delete the application (to the annoyance of the user, who needs to download the application all over again, or retrieve it from the quarantine archives of the antivirus software). Advanced users are often aware of this behavior, and use a whitelist – a set of customizable rules within the antivirus software (don’t scan these folders, do not delete this application, etc).
Full-System and Scheduled Scans
On-access virus scanning and heuristics are generally quite fast, hence why your applications still launch almost instantly. Your antivirus software only considers the application being launched, which takes only a second on modern computers.
Full-system scans do exactly what they say – it is a complete scan of your entire computer, every single file, no matter how deeply buried. Depending on the size of your hard drive, and the overall performance of your computer, this can take quite a while.
It’s usually not necessary to regularly perform full-systems very frequently. They’re usually for when you believe you’ve been infected. It’s kind of like getting a CAT scan when you just want a routine physical checkup. However, antivirus software usually schedules “light” system scans, often set for midnight hours. These light system scans are not as intensive as full-system scans, but still cover most of the bases of your operating system.
Some experts recommend performing a manual full-system scan once a week, or even once even two weeks, which is probably a good idea. You have nothing to lose, other than the hour or two a full-system scan might take.